21 matches found
From Operating Model to Product: How We Built the ROC for Detection-Speed Remediation
In the first article in this series, we made the case for a prevention-led operating model. This article is about what happened next: the decision to build something that did not exist, and what it took to make it real. Turning an operating model into a product sounds straightforward until you ar...
[Webinar] How to Close Identity Gaps in 2026 Before AI Exploits Enterprise Risk
In the rapid evolution of the 2026 threat landscape, a frustrating paradox has emerged for CISOs and security leaders: Identity programs are maturing, yet the risk is actually increasing. According to new research from the Ponemon Institute , hundreds of applications within the typical enterprise...
A New Maturity Model for Browser Security: Closing the Last-Mile Risk
Despite years of investment in Zero Trust, SSE, and endpoint protection, many enterprises are still leaving one critical layer exposed: the browser. It's where 85% of modern work now happens. It's also where copy/paste actions, unsanctioned GenAI usage, rogue extensions, and personal devices crea...
Securing Agentic AI: a Comprehensive Threat Model and Mitigation Framework for Generative AI Agents
As generative AI GenAI agents become more common in enterprise settings, they introduce security challenges that differ significantly from those posed by traditional systems. These agents are not just LLMs; they reason, remember, and act, often with minimal human oversight. This paper introduces ...
NIST Cybersecurity Framework 2.0
NIST has released version 2.0 of the Cybersecurity Framework: The CSF 2.0, which supports implementation of the National Cybersecurity Strategy, has an expanded scope that goes beyond protecting critical infrastructure, such as hospitals and power plants, to all organizations in any sector. It al...
Manage Enterprise Risk at Scale with a Unified, Holistic Approach
The rapid pace of technological change and the attendant rise of cyber threats in both speed and number leave most organizations at a disadvantage. Historically, many firms faced this challenge simply by purchasing more technology in the hopes that the latest threat protection software would keep...
New SEC Rules around Cybersecurity Incident Disclosures
The US Securities and Exchange Commission adopted final rules around the disclosure of cybersecurity incidents. There are two basic rules: 1. Public companies must "disclose any cybersecurity incident they determine to be material" within four days, with potential delays if there is a national...
The New Frontier of Enterprise Risk: Nth Parties
By Ran Nahmias, Co-Founder and CBO, Cyberpion The concept of risk in enterprise IT is constantly evolving. And considering recent findings, it’s clear that there’s a risk frontier that’s been underestimated – Nth party risk. Traditional enterprise risk management has focused on two domains:...
How nation-state attackers like NOBELIUM are changing cybersecurity
This is the first post in a four-part series on the NOBELIUM nation-state cyberattack. Microsoft started telling the industry about this extremely advanced cyberattack in December 2020. The NOBELIUM blog series—which mirrors Microsoft’s four-part video series “Decoding NOBELIUM”—will pull the...
Unspecified Vulnerability in IBM OpenPages GRC Platform
IBM OpenPages GRC Platform is a suite of platforms for managing enterprise risk and compliance from IBM in the United States. The platform provides a set of core services and functional components that cover the risk and compliance domain including operational risk, policy and compliance, financi...
Archer Path Disclosure Vulnerability
RSA Archer is the GRC Enterprise Risk Management Suite. A path disclosure vulnerability exists in Archer versions prior to 6.8 P2. An attacker could exploit this vulnerability to obtain sensitive information that could be used to launch further attacks...
Establishing risk appetite is key to effective risk management
The mission of an enterprise risk management program is to respond to and monitor risks to the enterprises operations and objectives. In order to properly respond to and monitor risks, the enterprise must establish risk appetite thresholds. Well-established and well-communicated risk appetite...
RSA Conference 2019: NIST's Privacy Framework Starts to Take Shape
Data privacy has been thrust into the limelight with the passage of the General Data Protection Regulation in Europe last year and a string of high-profile consumer privacy snafus. The National Institute of Standards and Technology has plans to help companies address data privacy with the...
QSC18: API Security, Enabling Innovation Without Enabling Attacks and Data Breaches
Without APIs, it would be near impossible to see enterprises being able to digitally transform themselves. After all, APIs are the connective-tissue between applications and systems and they make the management, automation and consumption of technology possible at scale. APIs are what enable...
2017’s Biggest Threats and What CISOs Can do to Mitigate Risks in 2018
Enterprise Risk Management ERM is getting harder every day. According to the World Economic Forum‘s 2018 Global Risks Perception Survey, cyber attacks and data theft are 3 and 4 respectively of the top 5 likely risks organizations will face this year. This is not surprising, in 2017 CISOs the wor...
Building a Security Risk Management Program
The frequency of data breaches today highlights the need to peel back the onion on security programs and identify a laser-focused mission and ultimate goal. As a compliance manager, I know the horror stories first hand. Let’s take a deeper dive into security and risk management basics to enable...
SimpleRisk 20130915-01 - Multiple Vulnerabilities
No description provided by source. 1. Advisory Information Title: SimpleRisk v.20130915-01 CSRF-XSS Account Compromise Advisory ID: RS-2013-0001 Date Published: 2013-09-30 2. Vulnerability Information Type: Cross-Site Request Forgery CSRF CWE-352, OWASP-A8, Cross-Site Scripting XSS CWE-79, OWASP-...
Move Over Conficker, Web Threats are Top Enterprise Risk
Microsoft is ready to officially declare network worms passé for the enterprise. In its latest Security Intelligence Report, released Wednesday, Microsoft said that risks posed by Web-based threats to large, distributed network environments have surpassed malware such as Conficker. The report is...
Experts Say Attack on Crypto Tokens is Serious, But Not Catastrophic
A group of international academic researchers has made a major advance in the efficiency of a known cryptographic attack on some kinds of crypto hardware, enabling them to extract sensitive keys from tokens such as RSA SecurID and Aladdin eToken devices within 20 minutes. However, experts say tha...
Web site security needs a strategy
Someone begins watching a basketball game and asks who is winning. You might helpfully answer, “Lakers up 76 to 64.” Imagine if instead you said, “The Lakers are 60% from the field, have 12 rebounds, are 8 of 10 from the line, and the average height of the starting lineup is 6’7.” Sure, these are...